Open source software security

Full Disclosure

There has been a lot of debate over the years about "full disclosure". This is the practice whereby security researchers publish their findings to the world. It's a thorny debate and my opinions have changed over time. I've been the subject on the receiving end of a vulnerability disclosure in the past. In that case I only noticed the disclosure because I follow security announcements.

So called "responsible disclosure" holds that a researcher should contact a vendor when they find a vulnerability in software. In my case, I was never contacted, which is one extreme in disclosure. The other extreme is to work closely with the vendor until a patch is created, but to never really release details of the vulnerability. Many people fall in the middle - notifying a vendor and working with them until a patch is released, then disclosing the vulnerability. Often these disclosures are made to security mailing lists such as bugtraq or full-disclosure.

Researchers don't often get paid for finding vulnerabilities. They usually release details to educate the community or to gain fame/notoriety. Releasing details of a vulnerability allows the consumers of the technology to be informed of the dangers associated with utilizing the system or technology and either protect their resources or opt to turn off the service. If security researchers can find holes in software, then so can black hats. By volunteering their time to find security vulnerabilities and telling the world about them the researchers empower consumers by educating them about risks that black hats may already be aware of. Finding vulnerabilities is also a good way for researchers to get their name out and build a reputation.

Many vendors don't appreciate the work that security researchers are doing. It sometimes happens that vendors ignore warnings from security researchers about vulnerabilities, or even threaten legal action if the researchers disclose the vulnerability. Often times working with vendors can be frustrating, especially if patches are slow in coming. Every day a researcher waits to disclose a vulnerability is another day that the black hats can be exploiting the vulnerability (using a so-called 0-day, meaning an exploit for a vulnerability that hasn't been disclosed and for which there is no patch). The delay also means that another security researcher could disclose the vulnerability, thus usurping the publicity and credit for the find.

Over the past weeks and months I've been spending some of my free time looking into Drupal modules, searching for vulnerabilities. One vulnerability in particular has been very frustrating. I discovered it at the start of July, and a patch still hasn't been released, nor has an announcement been made. Partly in response to this I disclosed the Answers module vulnerability on September 9th. The Drupal security team has assured me they will make a security announcement this Wednesday, September 15 17th. I'm closely awaiting that announcement to gauge how best to handle other module vulnerabilities I have found. I'm particularly concerned that I will not be given credit in the announcement, which is a disincentive for any researcher to share their findings with the Drupal security team. At this point, however, I'm just speculating. I'm going to go ahead and wait until Wednesday and see what happens. If, however, my suspicions are proven correct keep an eye on my blog for quite a few more, and nastier, Drupal module vulnerabilities.